Terraform 0.14: Suppressing Variable Values in CLI Output Feedback

In Terraform 0.14, you will be able to set a sensitive argument on variable blocks, which redacts that variable's value from CLI output. In the current alpha release, you can use this feature by turning it on in the experiments section of the terraform block:

terraform {
  experiments = [sensitive_variables]
}

With the experiment enabled, you’ll be able to add the sensitive argument to any variable block:

variable "something_not_to_print" {
  default   = "special value"
  sensitive = true
}

You’ll only need the experiments setting for alpha release usage – beta and later 0.14 releases will not treat this as experimental.

Setting a variable as sensitive prevents Terraform from showing its value in the plan or apply output, when that variable is used within a configuration.

Sensitive values are still recorded in the state, and so will be visible to anyone who is able to access the state data. For more information, see Sensitive Data in State.

A provider can define an attribute as sensitive, which prevents the value of that attribute from being displayed in logs or regular output. The sensitive argument on variables allows users to replicate this behavior for values in their configuration, by defining a variable as sensitive.

Define a variable as sensitive by setting the sensitive argument to true:

variable "user_information" {
  type = object({
    name    = string
    address = string
  })
  sensitive = true
}

resource "some_resource" "a" {
  name    = var.user_information.name
  address = var.user_information.address
}

Using this variable throughout your configuration will redact the value from plan and apply output:

Terraform will perform the following actions:

  # some_resource.a will be created
  + resource "some_resource" "a" {
      + name    = (sensitive)
      + address = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

In some cases where a sensitive variable is used in a nested block, the whole block is redacted. This happens with resources that can have multiple blocks of the same type, where the values must be unique. This looks like:

# main.tf

resource "some_resource" "a" {
  nested_block {
    user_information  = var.user_information # a sensitive variable
    other_information = "not sensitive data"
  }
}

# CLI output

Terraform will perform the following actions:

  # some_resource.a will be updated in-place
  ~ resource "some_resource" "a" {
      ~ nested_block {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

Cases where Terraform may disclose a sensitive variable

A sensitive variable is a configuration-centered concept, and values are sent to providers without any obfuscation. A provider error could disclose a value if that value is included in the error message. For example, a provider might return the following error even if "foo" is a sensitive value: "Invalid value 'foo' for field"

If a resource attribute is used as, or as part of, the provider-defined resource id, an apply will disclose the value. In the example below, the prefix attribute has been set to a sensitive variable, but that value (“jae”) is later disclosed as part of the resource id:

  # random_pet.animal will be created
  + resource "random_pet" "animal" {
      + id        = (known after apply)
      + length    = 2
      + prefix    = (sensitive)
      + separator = "-"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

...

random_pet.animal: Creating...
random_pet.animal: Creation complete after 0s [id=jae-known-mongoose]
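Both of the caveats above (sensitive values still being written to state, and a provider folding a sensitive attribute into the resource id) can be checked with one scan of the raw state file. The script below is an added example, not code from the post or from Terraform; it works on the format-version-4 JSON that terraform.tfstate (or `terraform state pull`) contains, and the state embedded in it is constructed to mirror the random_pet example, with the variable name pet_prefix and the some_resource resource assumed for illustration. It deliberately matches on substrings, because the id "jae-known-mongoose" is not equal to the prefix "jae" but still leaks it.

```python
import json
import sys
from typing import Any, Iterator, List, Tuple

# Constructed Terraform 0.14 state (format version 4), NOT taken from the
# post: random_pet.animal was created with prefix = var.pet_prefix, where
# pet_prefix is a sensitive variable holding "jae". The provider folds the
# prefix into the id, so the secret lands in state twice plus once in an
# output. some_resource.a is the (hypothetical) resource from the post.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "0.14.0",
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "pet_name": {"value": "jae-known-mongoose", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "random_pet",
            "name": "animal",
            "provider": 'provider["registry.terraform.io/hashicorp/random"]',
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "jae-known-mongoose",
                    "keepers": None,
                    "length": 2,
                    "prefix": "jae",
                    "separator": "-",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "some_resource",
            "name": "a",
            "provider": 'provider["example.com/acme/some"]',
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "r-1",
                    "nested_block": [{
                        "user_information": {"name": "Ada", "address": "1 Main St"},
                        "other_information": "not sensitive data",
                    }],
                },
            }],
        },
    ],
})


def _walk(value: Any, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for every string leaf in a JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _walk(child, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def find_sensitive_in_state(state_json: str, secrets: List[str]) -> List[Tuple[str, str]]:
    """Return (location, secret) for every string in outputs or resource
    attributes that contains one of the known sensitive values."""
    state = json.loads(state_json)
    roots: List[Tuple[str, Any]] = []
    for name, out in state.get("outputs", {}).items():
        roots.append((f"output.{name}", out.get("value")))
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            addr = "data." + addr
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # present only for count/for_each
            inst_addr = addr if key is None else f"{addr}[{json.dumps(key)}]"
            roots.append((inst_addr, inst.get("attributes", {})))
    hits = []
    for base, value in roots:
        for path, text in _walk(value, base):
            for secret in secrets:
                if secret and secret in text:
                    hits.append((path, secret))
    return hits


if __name__ == "__main__":
    # Usage: python3 state_scan.py terraform.tfstate SECRET [SECRET ...]
    # With no arguments the constructed sample state is scanned for "jae".
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f:
            data, secrets = f.read(), sys.argv[2:]
    else:
        data, secrets = SAMPLE_STATE, ["jae"]
    for location, secret in find_sensitive_in_state(data, secrets):
        print(f"{location}: contains sensitive value {secret!r}")
```

Run against a real state file the scan reports every resource attribute and output that carries the secret, including derived attributes such as ids that the plan output showed only as "(known after apply)"; anyone with read access to the state (a remote backend, a CI artifact, a local .tfstate in a repository) sees exactly those strings.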

Known bugs/future work

As this is pre-release work, there are a few major known issues to note that we intend to either resolve, or provide logical errors for (thus saving you time in reporting here).

Using sensitive variables in some expressions

Using a sensitive variable in some functions, such as join, or in a for expression will not work at the moment, and will either panic or give a confusing error.

Changing sensitivity without changing the value

If the only thing that has changed about a variable from one plan to the next is the sensitive attribute, Terraform’s understanding of the “sensitivity” of the variable will not change until the value of the variable changes. This will be fixed by the beta release of 0.14.

Thanks for checking it out!

Pam Selle, Terraform Core Team
